Sophos Mobile: How to move from ‘Device Admin’ to ‘Android Enterprise’

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

This article outlines the high-level steps involved in moving devices from ‘Device Admin’ management to Android Enterprise. For details on setting up Android Enterprise, please refer to the Sophos Mobile admin guide.

 

Android Enterprise replaces ‘Device Admin’

‘Device Admin’ is the former mode of managing Android devices. Google encourages all customers to now use its successor, Android Enterprise, which is fully supported in Sophos Mobile.

For some background information on Android Enterprise, please see this article.

 

Moving from ‘Device Admin’ to Android Enterprise

Devices that are currently managed in ‘Device Admin’ mode can be re-enrolled in Android Enterprise management. The enrolment method and options depend on whether the device is going to be in ‘Full Device Management’ or ‘Work Profile’ mode.

Enrolling in Android Enterprise Full Device Management

Enrolling a device in Android Enterprise Full Device Management requires a new or wiped device. Customers can move as part of the device lifecycle refresh or by factory resetting existing devices.

Note: A factory reset can be done remotely via the ‘Wipe’ command in Sophos Mobile.

Enrol devices using one of the following methods:

  • Add device wizard – select a user, create a new device, and assign a task bundle that includes an Android Enterprise Full Device policy – enrol the device by entering the afw#sophos credentials
  • Sophos Self Service portal – a user logs into the Self Service portal, registers a new device and receives information on how to enrol using the afw#sophos credentials
  • QR code enrolment – start the device and scan a QR code to begin enrolment
  • Zero-touch enrolment – devices are configured to automatically enrol when switched on

 

Note: The Sophos Mobile admin guide provides more specific details on each of these options. Please refer to this for further information.

 

 

Enrolling in Android Enterprise Work Profile

Enrolling in Android Enterprise Work Profile does not require a factory reset, but it does require the existing ‘Device Admin’ management to be removed.

  • Locate the device in the Sophos Mobile console – select Actions > Unenroll
  • Delete the device (this avoids duplication when the device is re-enrolled) – select Actions > Delete

Note: At this point the Sophos Mobile Control app is still installed, but the device is no longer managed.

Re-enrol the device using one of the following options:

  • Add device wizard – select a user, create a new device, and assign a Task Bundle that includes a Work Profile policy. On the device, open the Sophos Mobile app and scan the QR code to set up the Work Profile
  • Sophos Self Service portal – a user logs into the Self Service portal, registers a new device and receives information on how to scan the QR code and set up the Work Profile

Note: The Sophos Mobile admin guide provides more specific details on each of these options. Please refer to this for further information.



Updated the disclaimer
[edited by: Gladys at 5:05 AM (GMT -7) on 6 Apr 2023]